Abstract — A botnet in mobile networks is a collection of
compromised  nodes  due  to  mobile  malware,  which  are  able  to 
perform  coordinated  attacks.  Different  from  Internet  botnets, 
mobile  botnets  do  not  need  to  propagate  using  centralized 
infrastructures,  but  can  keep  compromising  vulnerable  nodes  in 
close  proximity  and  evolving  organically  via  data  forwarding. 
Such a distributed mechanism relies heavily on node mobility
as well as wireless links, and therefore breaks down the underlying
premise in existing epidemic modeling for Internet botnets.

In  this  paper,  we  adopt  a  stochastic  approach  to  study  the 
evolution  and  impact  of  mobile  botnets.  We  find  that  node 
mobility  can  be  a  trigger  to  botnet  propagation  storms:  the 
average  size  (i.e.,  number  of  compromised  nodes)  of  a  botnet 
increases  quadratically  over  time  if  the  mobility  range  that  each 
node  can  reach  exceeds  a  threshold;  otherwise,  the  botnet  can 
only  contaminate  a  limited  number  of  nodes  with  average  size 
always  bounded  above.  This  also  reveals  that  mobile  botnets  can 
propagate  at  the  fastest  rate  of  quadratic  growth  in  size,  which 
is  substantially  slower  than  the  exponential  growth  of  Internet 
botnets. To measure the denial-of-service impact of a mobile
botnet, we define a new metric, called last chipper time, which
is the last time that service requests, even partially, can still be
processed on time as the botnet keeps propagating and launching
attacks. The last chipper time is identified to decrease at most
on the order of $1/\sqrt{B}$, where $B$ is the network bandwidth. This
result reveals that although increasing network bandwidth can
help with mobile services, it can at the same time escalate
the risk of services being disrupted by mobile botnets.

I.  Introduction 

With the proliferation of smart handheld devices and the
explosion in the amount of malware on mobile platforms, a mobile
botnet [1], [2], which is a collection of compromised (or
infected) mobile nodes that can perform coordinated attacks,
is no longer theoretical but has appeared in practice. For
example, Ikee.B [3] in 2009 was found to include command
and control logic that placed a number of infected iPhones
under its control. In 2012, Symantec found a large botnet,
Android.Bmaster [4], in China that had infected an estimated
hundreds of thousands of Android phones. As a result, mobile
botnets have already become one of the most serious security
threats to today's mobile networks and applications.

A  mobile  botnet  can  compromise  vulnerable  nodes  by 
sending  malware  via  centralized  infrastructures  (e.g.,  using 
short  and  multimedia  message  services  [1],  [4],  [5]).  However, 
to evade increasingly enhanced monitoring of cellular infrastructures,
a stealthy way for propagation is to stay off the radar
and  spread  to  vulnerable  nodes  nearby,  which  has  been  adopted 
in  existing  malware,  such  as  Mabir,  Lansco  and  CPMC  [6]. 
A  challenging  question  is  how  botnets  propagate  via  such 
proximity  infection,  especially  how  they  behave  in  mobile 
networks  compared  with  their  forerunners  in  the  Internet. 

Extensive works have investigated Internet malware propagation
using epidemic modeling (e.g., [7], [8]), which presumes
a condition that an infected node can compromise other
vulnerable  nodes  with  equal  probability.  A  few  studies  [9], 
[10]  have  adapted  epidemic  modeling  to  characterize  mobile 
malware  based  on  simplistic  random  movements,  where  the 
equal-probability  assumption  still  holds.  These  prior  efforts 
conclude  that  using  proximity  infection,  malware  can  continue 
infecting  more  nodes  without  using  infrastructures,  thereby 
leading to severe epidemics. This result is also observed by
a number of experiments [11]-[13]. Interestingly, however, a
recent paper [14] draws an opposite conclusion based on simulations
that proximity infection only affects a limited number
of  nodes  and  is  far  less  concerning  in  urban  environments 
where  node  susceptibility  is  relatively  low.  These  somewhat 
discrepant  results  may  be  due  to  different  system  setups, 
such  as  transmission  range  and  random  mobility.  Nonetheless, 
the  primary  reason  is  still  unclear.  As  a  result,  it  is  not  yet 
fully  understood  how  proximity  infection  can  cause  a  botnet 
propagation  storm  and  what  the  impact  is  in  mobile  networks. 

In  this  paper,  we  are  motivated  to  address  this  open  question 
by considering a practical scenario with heterogeneous mobility,
in which nodes are more likely to move around in certain
areas.  Such  heterogeneity  inevitably  breaks  the  premise  of 
equal-probability  infection  used  in  existing  epidemic  modeling 
[9],  [10].  Thus,  we  take  a  stochastic  approach  to  study  how 
a mobile botnet evolves. In particular, we denote by $S(t)$ the
set of infected nodes in a mobile botnet at time $t$. The botnet
originates from an initially infected node that starts to move
around and compromise nearby vulnerable nodes at time 0.
We are interested in how the botnet size $|S(t)|$ (defined as the
number of infected nodes in the botnet) increases over time $t$.

Our results reveal an interesting dichotomy of mobile botnet
propagation: the average size of a mobile botnet $E|S(t)|$ either
grows quadratically over time $t$ or is always bounded above. In
particular, given node density $\lambda$, wireless transmission range $r$,
and mobility radius $\alpha$ that is the maximum range that a node
can reach, we find that as long as $\lambda(2\alpha+r)^2$ exceeds a threshold,
$E|S(t)|$ is a quadratic function of $t$; otherwise, $|S(t)|$
is finite almost surely with eventual size $|S(\infty)|$ exponentially
distributed. This means that with fixed network setups $\lambda$ and $r$,
sufficient mobility (i.e., mobility radius $\alpha$ becomes large) can
provoke mobile botnet propagation from limited infection to
epidemics. Therefore, our findings not only serve as a bridge to
connect two discrepant results in the literature, but also reveal
that mobile botnets via proximity infection can propagate at
the fastest rate of quadratic growth, which is much slower than
the exponential growth of Internet botnets.

In order to measure the denial-of-service impact of a mobile
botnet with quadratic growth in size, we define last chipper
time, the last time moment that a required ratio $\sigma$ of service
requests from mobile nodes to a service center can still be
processed on time, while the botnet keeps propagating and
attacking. We find that the last chipper time decreases at most
on the order of $1/\sqrt{B\log(1/(1-\sigma))}$, where $B$ is the network
bandwidth. Based on this, we can quantitatively assess how
increasing network bandwidth raises the risk that botnets
disrupt mobile services. For example, the bandwidth of current
cellular networks is expected to increase 10 times from LTE
to LTE Advanced; a mobile botnet, in the fastest case, then needs
to propagate for only one third (i.e., $1/\sqrt{10}$) of the time that it
spends in LTE to disrupt the same service in LTE Advanced.

The remainder of this paper is organized as follows. In
Section II, we introduce preliminaries and models. In Sections
III and IV, we investigate how a mobile botnet evolves
and what its impact is. Finally, we conclude in Section V.

II.  Preliminaries  and  Models 

In  this  section,  we  first  present  the  models  used  in  this  paper, 
then  formulate  the  research  problem. 

A.  Network  and  Mobile  Users 

We  consider  a  hybrid  mobile  network  with  two  distinct  types 
of  nodes:  mobile  nodes  that  are  common  users  moving  around 
in  the  network,  and  infrastructure  nodes  that  are  base  stations 
or  access  points  to  provide  mobile  services  to  mobile  nodes. 

There are $n$ mobile nodes distributed independently and uniformly
on a torus surface $\Omega = [0, \sqrt{n/\lambda}]^2$ for some node density
$\lambda$. Infrastructure nodes form square cells in the network, as
shown  in  Fig.  1(a).  They  have  the  wireless  network  interface 
that  offers  wireless  access  to  mobile  nodes.  In  addition,  they 
are  interconnected  with  each  other  via  high-speed  wireline 
networks  and  are  also  connected  to  a  data  service  center  that 
processes  service  requests  from  mobile  nodes. 

Mobile  nodes  are  able  to  communicate  directly  with  each 
other, and can also communicate with their nearest infrastructure
nodes for mobile services. As shown in Fig. 1(b),
the  transmission  ranges  of  mobile  and  infrastructure  nodes 
are  the  same  and  denoted  by  r.  The  network  bandwidth  B 
is  shared  among  all  mobile  and  infrastructure  nodes.  Mobile 
nodes  consist  of  legitimate  nodes  and  malicious  nodes  that  are 
compromised  by  malware  and  attempt  to  infect  other  mobile 
nodes  in  the  network.  Infrastructure  nodes,  on  the  other  hand, 
are  invulnerable  to  malware  infection. 
Fig. 1. Network architecture: infrastructure nodes and mobile nodes.


B.  Mobile  Malware  and  Botnet 

When  a  mobile  node  is  infected  by  malware,  it  may  not 
behave  legitimately.  Generally  speaking,  mobile  malware  is 
malicious  software  on  mobile  platforms  that  attempts  to  take 
control  of  a  device  and  copy  itself  to  other  susceptible  devices, 
which is called malware propagation [1], [3]. More dangerously,
if mobile nodes are infected by the same malware,
they  can  form  a  mobile  botnet  [2],  [3]  that  is  a  collection  of 
compromised  mobile  devices  under  the  same  control.  Mobile 
botnets  have  already  been  found  in  practice,  such  as  Ikee.B 
in  2009  [3]  and  Android.Bmaster  in  2011  [4].  In  essence, 
a  mobile  botnet  can  be  formed  in  the  following  two  ways: 
(i)  propagation  through  infrastructures  (malware  sending  its 
copies  using  short/multimedia  message  services  or  advertising 
its  applications  (APPs)  on  mobile  markets  [1],  [4],  [5]),  (ii) 
proximity  infection  (a  compromised  node  sending  malware  to 
nearby  nodes  using  peer-to-peer  wireless  links  [6],  [14]). 

Although botnet propagation is very fast through infrastructures,
it can be easily stopped by increasingly enhanced security
systems at infrastructures (e.g., Google's Android kill switch).
Hence,  a  stealthy  and  safe  way  for  propagation  is  to  infect 
vulnerable  nodes  nearby,  because  such  proximity  infection 
can  easily  persist  and  remain  undetected  due  to  the  nature 
of  decentralized  infection  and  the  dynamic  network  topology. 
The  proximity  infection  mechanism  has  already  been  found  in 
existing  malware,  such  as  Mabir,  Lansco  and  CPMC  [6]. 
Fig. 2. Mobile botnet evolution over time via proximity infection.


Accordingly,  we  focus  on  the  scenario  in  which  malware 
intends  to  use  proximity  infection  to  form  a  botnet.  We 
consider  the  malware  infection  process  starting  from  one 
initially  infected  node  that  attempts  to  propagate  malware  to 
other vulnerable nodes in the network. As shown in Fig. 2,
a compromised node propagates malware to another node
when (i) the two nodes move into each other's wireless
transmission range $r$; (ii) the other node is susceptible
to malware (a vulnerability ratio $\kappa \in (0,1)$ is used to denote
the probability that a node is vulnerable); and (iii) the two nodes
stay in range for the required infection time (how long it takes
to infect a node), which is randomly distributed in a range
$[\delta_1, \delta_2]$. This is because the spread of
malware requires some time for user or application interaction.
If two nodes move out of each other's range and have no time
to finish the interaction, a node cannot be infected even if it
is vulnerable. Thus, our model also accommodates the case of
limited contact or interaction time.

1) Node Mobility: Mobility plays an essential role in the
performance of mobile applications, and accordingly has substantial
impacts on malware propagation [13]. We consider a
generic mobility model that accounts for a practical scenario of
spatial heterogeneity, in which mobile nodes are more likely to
stay in certain areas (e.g., their homes or offices) and less likely
to be in others. In particular, similar to existing works [15],
[16], we define that for a mobile node $m_i$, there exists a home
point $h_{m_i}$, which is independently and uniformly distributed
over region $\Omega$. We also define a mobility radius $\alpha$ for $m_i$ such
that $m_i$ moves around $h_{m_i}$ with probability density function
$\phi(x)$, which is invariant in all directions and satisfies $\phi(x) > 0$
when $\|x - h_{m_i}\| \le \alpha$, and $\phi(x) = 0$ otherwise. In addition, all
mobile nodes move around their home points according to
independent stationary processes.

We  assume  that  malware  can  only  compromise  the  software 
in  a  vulnerable  node,  but  cannot  decide  the  node’s  movement 
since  mobility  is  usually  determined  by  human  beings. 
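
The infection conditions (i)-(iii) and the home-point mobility model above can be exercised in a simulation. The following Python code is an added example, not code from the paper; the integer time steps, the confined random walk used as the stationary mobility process, the uniform integer infection times and all parameter values are assumptions made for illustration. It also records the home-point distance of every infector/target pair, which the geometry of the model bounds by $2\alpha + r$.

```python
import math
import random


def torus_dist(p, q, side):
    """Euclidean distance between points p and q on a side x side torus."""
    dx, dy = abs(p[0] - q[0]), abs(p[1] - q[1])
    return math.hypot(min(dx, side - dx), min(dy, side - dy))


def simulate(n, lam, alpha, r, kappa, delta1, delta2, steps, seed=1):
    """Proximity infection starting from node 0 under the home-point model.

    Assumptions of this example (not taken from the paper): integer time
    steps, a confined random walk as the stationary mobility process, and
    a per-node infection time drawn uniformly from {delta1, ..., delta2}.
    Returns (botnet size after each step, infection events), where each
    event is (infector, target, distance between their home points).
    """
    rng = random.Random(seed)
    side = math.sqrt(n / lam)                 # torus [0, sqrt(n/lambda)]^2
    homes = [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n)]
    vulnerable = [rng.random() < kappa for _ in range(n)]     # condition (ii)
    need = [rng.randint(delta1, delta2) for _ in range(n)]

    # Start each node uniformly inside the disk of radius alpha around home.
    offsets = []
    for _ in range(n):
        rad, ang = alpha * math.sqrt(rng.random()), rng.uniform(0, 2 * math.pi)
        offsets.append((rad * math.cos(ang), rad * math.sin(ang)))

    infected = {0}
    contact = {}      # (infector, target) -> consecutive steps spent in range
    sizes, events = [], []
    for _ in range(steps):
        # Symmetric move, rejected if it leaves the disk: the uniform,
        # direction-invariant density on the disk stays stationary.
        for k, (ox, oy) in enumerate(offsets):
            nx = ox + rng.gauss(0, alpha / 4)
            ny = oy + rng.gauss(0, alpha / 4)
            if math.hypot(nx, ny) <= alpha:
                offsets[k] = (nx, ny)
        pos = [((h[0] + o[0]) % side, (h[1] + o[1]) % side)
               for h, o in zip(homes, offsets)]

        in_range, newly = {}, {}
        for i in infected:
            for j in range(n):
                if j in infected or not vulnerable[j]:
                    continue
                if torus_dist(pos[i], pos[j], side) <= r:     # condition (i)
                    in_range[(i, j)] = contact.get((i, j), 0) + 1
                    if in_range[(i, j)] >= need[j]:           # condition (iii)
                        newly.setdefault(j, i)
        contact = in_range          # pairs that separated lose their progress
        for j, i in newly.items():
            infected.add(j)
            events.append((i, j, torus_dist(homes[i], homes[j], side)))
        sizes.append(len(infected))
    return sizes, events


if __name__ == "__main__":
    # Constructed parameters: identical density, range and vulnerability
    # ratio; only the mobility radius alpha differs between the two runs.
    r = 0.5
    for alpha in (0.2, 3.0):
        sizes, events = simulate(n=150, lam=1.0, alpha=alpha, r=r, kappa=0.6,
                                 delta1=1, delta2=3, steps=150)
        farthest = max((d for _, _, d in events), default=0.0)
        print(f"alpha={alpha}: botnet size {sizes[-1]}, farthest infected "
              f"home point {farthest:.2f} (bound 2*alpha+r = {2*alpha + r:.2f})")
```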

C.  Problem  Formulation 

As  the  initially  infected  node  moves  around  and  intends  to 
spread  malware  to  other  vulnerable  nodes  starting  from  time  0, 
it  can  be  expected  that  more  and  more  nodes  are  infected  and 
repeat  the  same  infection  process  in  the  network.  Therefore, 
a large-scale mobile botnet might be built from scratch
with  sufficient  time.  Such  a  botnet  could  be  very  detrimental 
to  mobile  users  as  well  as  mobile  service  operations. 

In  order  to  understand  the  potential  impact  of  a  mobile 
botnet,  we  first  need  to  investigate  how  it  evolves  over  time; 
i.e.,  we  are  interested  in  how  many  nodes  in  total  have  been 
infected  at  a  particular  time  t.  To  proceed,  we  define  the  size 
of  a  mobile  botnet  as  follows. 

Definition 1: A mobile botnet, denoted by $S(t)$, is the set
of all malware-infected nodes at time $t$. The size of the botnet
$|S(t)|$ is defined as the total number of nodes in $S(t)$.

With Definition 1, we further characterize how fast a mobile
botnet can spread malware in the network. Specifically, we
define the evolution speed of a botnet in the following.

Definition 2: The evolution speed of a mobile botnet, denoted
by $V(t)$, is defined as $V(t) = E|S(t)|/t$, where $E|S(t)|$
is the average number of nodes in $S(t)$ at time $t$.

Given Definitions 1 and 2, we formally state our research
problem: for a mobile botnet originated from one initially
infected node at time 0, what are its size $|S(t)|$ and evolution
speed $V(t)$ at time $t > 0$?


III.  How  Does  A  Mobile  Botnet  Evolve  over  Time? 

In  this  section,  we  first  investigate  the  size  of  a  mobile 
botnet $|S(t)|$ and its evolution speed $V(t)$, then use mobility
traces  to  show  botnet  propagation  in  realistic  environments. 

A.  The  Average  Size  and  Evolution  Speed 

From  Definition  2,  we  know  that  the  evolution  speed  of  a 
botnet $V(t)$ is based on the average size $E|S(t)|$. Thus, we
first  investigate  the  size  of  a  mobile  botnet  at  time  t. 

Theorem 1 (Size of a mobile botnet): For a mobile botnet,
its average size $E|S(t)|$ at time $t$ can be written as

$$E|S(t)| = \begin{cases} \Theta(1) & \text{if } \kappa\lambda(2\alpha+r)^2 = O(1), \\ \Theta(t^2) & \text{if } \kappa\lambda(2\alpha+r)^2 = \Omega(1), \end{cases}$$

where $\kappa$ is the vulnerability ratio, $\lambda$ is the node density, $\alpha$ is
the mobility radius, and $r$ is the wireless transmission range.$^1$

Proof: This theorem consists of two parts. We first consider
the $E|S(t)| = \Theta(1)$ part, then the $E|S(t)| = \Theta(t^2)$ one.

Without loss of generality, assume that mobile node $m_1$ is
the initially infected node that moves around in the network and
attempts to infect as many vulnerable nodes as possible. Once
a node is infected by node $m_1$, it will also start to infect others.
This means that this node can be considered as an offspring of
node $m_1$. Thus, proximity infection can be modeled based on
a branching process [17] that characterizes how a population
evolves from generation to generation.

We consider node $m_1$ as the only node in the 1st generation,
the nodes directly infected by node $m_1$ as the 2nd generation,
and so on. Now construct a branching process $\{Z_i\}$ satisfying
$Z_{i+1} = \sum_{j=1}^{Z_i} Y_{i,j}$, where $Y_{i,j}$ is the number of nodes infected
directly by the $j$-th infected node of generation $i$.

Fig. 3. The maximum possible range that a node can infect the other.

First take a look at node $m_1$ (i.e., the 1st infected node of
generation 1). As shown in Fig. 3, it is impossible for node $m_1$
to infect a node whose home point has a distance to $m_1$'s larger
than $2\alpha + r$ since there is no way for the node to move into
$m_1$'s contact region. Let $Y'_{1,1}$ be the total number of vulnerable
nodes that are able to move into the contact region of node $m_1$.
Then, it always holds that $Y_{1,1} \le Y'_{1,1}$ at any time. Similarly,
we have i.i.d. random variables $\{Y'_{i,j}\}$ that satisfy

$$Y_{i,j} \le Y'_{i,j} \quad \text{for any } i, j > 0. \qquad (1)$$

$^1$ We say $f(x) = O(g(x))$ if $\exists\, x_0$ and $c > 0$ such that $f(x) \le c\,g(x)$
$\forall x > x_0$. Similarly, $f(x) = \Omega(g(x))$ if $f(x) \ge c\,g(x)$. Finally, we say $f(x) =
\Theta(g(x))$ if $f(x) = O(g(x))$ and $f(x) = \Omega(g(x))$ at the same time.
Note that $Y'_{i,j}$ denotes the total number of vulnerable nodes
that can move into the contact region of the $i$-th infected node
of generation $j$ with radius $2\alpha + r$. This indicates that the mean
of $Y'_{i,j}$ satisfies $\mu = E(Y'_{i,j}) = \gamma\kappa\lambda\pi(2\alpha+r)^2$ by the thinning
theorem [18], where $\gamma > 0$ is the probability that an infected
node does not have enough time to infect a vulnerable node when
they meet each other (i.e., their contact time is smaller than
the required infection time randomly distributed in $[\delta_1, \delta_2]$).

Construct a Galton-Watson process $\{Z'_i\}$ satisfying

$$Z'_{i+1} = \sum_{j=1}^{Z'_i} Y'_{i,j}. \qquad (2)$$

It follows from (1) that $Z_i \le Z'_i$ for $i > 0$. From the branching
property, it holds for generations $i+1$ and $i$ that $E(Z'_{i+1}) =
\mu E(Z'_i)$, and the average total number of nodes is
$1/(1-\mu)$ when $\mu < 1$. Thus, if $\mu < 1$ (i.e., $\gamma\kappa\lambda\pi(2\alpha+r)^2 < 1$),
the average botnet size can be written as

$$E|S(t)| \le \sum_{i=1}^{\infty} E(Z'_i) = 1/(1-\mu) = \Theta(1), \qquad (3)$$

which completes the $E|S(t)| = \Theta(1)$ part after we rewrite the
condition $\gamma\kappa\lambda\pi(2\alpha+r)^2 < 1$ as $\kappa\lambda(2\alpha+r)^2 = O(1)$.

Next, we move on to the $E|S(t)| = \Theta(t^2)$ part. First, it
follows from Lemma 1 in Appendix A that the average size
of the botnet satisfies

$$E|S(t)| = \Omega(t^2) \qquad (4)$$

for $\kappa\lambda(2\alpha+r)^2 = \Omega(1)$.

Thus, it suffices to show that $E|S(t)|$ is upper bounded by a
quadratic function of $t$ at the same time, i.e., $E|S(t)| = O(t^2)$.
Note that it takes at least a time period $\delta_1$ to propagate the
malware from one node to the other. At time $t$, the farthest
distance the malware can propagate is $(2\alpha+r)t/\delta_1$. In this
range, the average number of vulnerable nodes is $\kappa\lambda((2\alpha+r)t/\delta_1)^2$,
showing that $E|S(t)| = O(t^2)$. Combining this upper
bound with the lower bound in (4), we obtain that $E|S(t)| =
\Theta(t^2)$ when $\kappa\lambda(2\alpha+r)^2 = \Omega(1)$. □

Remark  1:  Theorem  1  reveals  interesting  phenomena  of 
mobile  botnet  propagation:  a  mobile  botnet  can  either  exhibit 
quadratic  growth  in  its  size  over  time,  or  have  a  limited  size 
without  persistent  propagation.  The  key  factor  that  determines 
which  type  of  propagation  the  botnet  has  is  the  value  of 
$\kappa\lambda(2\alpha+r)^2$. When the value is larger than some constant,
the  average  total  number  of  infected  nodes  keeps  increasing 
quadratically;  when  the  value  is  less  than  some  constant,  only 
a  limited  number  of  nodes  can  be  infected  in  the  network. 

Given fixed network setups (i.e., node density $\lambda$ and wireless
transmission range $r$), Theorem 1 indicates that sufficient
mobility (i.e., mobility radius $\alpha$ is sufficiently large) always
guarantees the quadratic growth in size for a mobile botnet.
In this case, more and more nodes become infected as time
goes, which has been observed in [9]-[13]. On the other hand,
given fixed mobility models, sufficiently small vulnerability
ratio $\kappa$ ensures the limited propagation of a mobile botnet,
which well explains the opposite results in [14]. We also note
that there may exist a unique threshold of $\kappa\lambda(2\alpha+r)^2$ to
trigger the $\Theta(t^2)$ propagation. However, its exact value could
be mathematically intractable to find.

With  Theorem  1,  the  results  on  the  evolution  speed  of  a 
mobile  botnet  are  presented  in  the  following. 

Corollary 1 (Botnet evolution speed): Given the conditions
in Theorem 1, it holds for the evolution speed of a mobile
botnet $V(t)$ that $V(t) = \Theta(1/t)$ or $V(t) = \Theta(t)$.

Proof: According to Definition 2, we obtain the evolution
speed $V(t) = E|S(t)|/t$. Then, the results of $V(t) = \Theta(1/t)$
or $V(t) = \Theta(t)$ follow immediately from Theorem 1. □

Remark  2:  It  is  well  known  that  the  malware  propagation 
speed  on  the  Internet  increases  exponentially  over  time.  Our 
results  quantitatively  show  that  mobile  malware  via  proximity 
infection  propagates  with  at  most  linearly  increasing  speed, 
which  is  significantly  less  than  its  counterpart  on  the  Internet. 

B.  Stochastic  Bound 

According  to  Theorem  1,  we  know  that  the  average  size 
of a mobile botnet with $\Theta(1)$ propagation is always bounded
above  even  if  the  time  goes  to  infinity.  In  this  case,  we  are 
also  interested  in  what  the  distribution  of  its  eventual  size  is, 
which  is  given  in  the  following. 

Theorem 2: The tail distribution of the eventual size of a
botnet $P(|S(\infty)| > L)$ decays at least exponentially fast when
$\kappa\lambda(2\alpha+r)^2 = O(1)$.

Proof: Recall that we have already constructed a process in
(2) that satisfies

$$P(|S(\infty)| > L) \le P\Big(\sum_{i=1}^{\infty} Z'_i > L\Big). \qquad (5)$$

Then,  it  suffices  to  show  that  the  distribution  of 
decays  exponentially  fast. 

First, according to the total progeny theorem (Proposition
3.4 in [17]), we obtain

$$P\Big(\sum_{i=1}^{\infty} Z'_i = l\Big) = \frac{1}{l}\, P\Big(\sum_{i=1}^{l} Y'_{1,i} = l-1\Big), \qquad (6)$$

where $Y'_{1,i}$ is the number of vulnerable nodes whose home
points fall into a circle with radius $2\alpha + r$. With the network
size scaling, node distribution can be represented as a
Poisson point process [19], [20]. Thus, it holds for $Y'_{1,i}$ that

P(J^=i  =  l  —  1)  =  1)1  •  Inserting  it  into  (6)  yields 

00 

P(E  z'i  =  l)  =  (7) 

Applying Stirling's formula ($l! = \Theta(1)\, l^{l+1/2} e^{-l}$) to (7), we
obtain

$$P\Big(\sum_{i=1}^{\infty} Z'_i = l\Big) = \Theta(1)\, l^{-3/2} \mu^{l-1} e^{-l(\mu-1)}. \qquad (8)$$

Therefore, it follows from (8) that

$$\lim_{l\to\infty} \frac{1}{l}\log P\Big(\sum_{i=1}^{\infty} Z'_i = l\Big) = \lim_{l\to\infty} \Big[\frac{\Theta(1)}{l} - \frac{3}{2}\,\frac{\log l}{l} + \frac{l-1}{l}\log\mu - (\mu-1)\Big] = \log\mu - (\mu-1) - \lim_{l\to\infty} \frac{1.5\log l}{l} = \Theta(1), \qquad (9)$$

showing that $P(\sum_{i=1}^{\infty} Z'_i = l)$ decays exponentially, which
completes the proof. □

Fig. 4. Size of the botnet over time for two starting nodes: node “abmuyawm” - solid line, node “oafhynu” - dotted line.

Fig. 5. Size of the botnet over time for vulnerable ratio $\kappa$=0.1, 0.4, 0.6, and 0.8.

Fig. 6. Propagation speed over time for vulnerable ratio $\kappa$=0.4, 0.6, and 0.8.

Remark 3: Theorem 2 shows that if $\kappa\lambda(2\alpha+r)^2$ is sufficiently
small, the distribution of the size of a mobile botnet
exhibits exponential decay. In this case, it is quite unlikely that
a botnet can infect a large number of nodes in the network and
cause severe impacts on mobile services.
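
The bounded regime of Theorems 1 and 2 can be checked numerically. The following Python code is an added example, not from the paper: it evaluates $\mu = \gamma\kappa\lambda\pi(2\alpha+r)^2$ and, assuming Poisson offspring as in the proof of Theorem 2, the total-progeny (Borel) distribution of the bounding Galton-Watson process, whose mean is $1/(1-\mu)$ as in (3) and whose tail decays at the rate given by the limit in (9). All parameter values are constructed.

```python
import math


def offspring_mean(gamma, kappa, lam, alpha, r):
    """mu = gamma * kappa * lambda * pi * (2*alpha + r)^2 (proof of Theorem 1)."""
    return gamma * kappa * lam * math.pi * (2 * alpha + r) ** 2


def log_pmf(l, mu):
    """log P(total progeny = l) for Poisson(mu) offspring (Borel distribution):
    P = exp(-mu*l) * (mu*l)^(l-1) / l!, evaluated in log space to avoid overflow."""
    return -mu * l + (l - 1) * math.log(mu * l) - math.lgamma(l + 1)


def progeny_summary(mu, lmax=5000):
    """Total probability mass and mean of the total progeny, truncated at lmax."""
    if not 0 < mu < 1:
        raise ValueError("the bounded regime requires 0 < mu < 1")
    probs = [math.exp(log_pmf(l, mu)) for l in range(1, lmax + 1)]
    mass = math.fsum(probs)
    mean = math.fsum(l * p for l, p in enumerate(probs, start=1))
    return mass, mean


def tail(mu, L, lmax=5000):
    """P(total progeny > L), which upper-bounds P(|S(inf)| > L) by (5)."""
    return math.fsum(math.exp(log_pmf(l, mu)) for l in range(L + 1, lmax + 1))


def decay_rate(mu):
    """Exponential decay rate of the tail: -(log(mu) - (mu - 1))."""
    return mu - 1 - math.log(mu)


def max_alpha_for_mu_below_one(gamma, kappa, lam, r):
    """Mobility radius at which mu reaches 1. Below it the sufficient condition
    mu < 1 of (3) holds; this is not the exact threshold of Theorem 1."""
    return (math.sqrt(1 / (gamma * kappa * lam * math.pi)) - r) / 2


if __name__ == "__main__":
    # Constructed parameters (arbitrary length units).
    gamma, kappa, lam, r = 0.5, 0.6, 0.01, 1.0
    for alpha in (1.0, 3.0, 4.5):
        mu = offspring_mean(gamma, kappa, lam, alpha, r)
        mass, mean = progeny_summary(mu)
        print(f"alpha={alpha}: mu={mu:.3f}, mean size bound={mean:.2f} "
              f"(1/(1-mu)={1 / (1 - mu):.2f}), P(size>50)<={tail(mu, 50):.2e}, "
              f"decay rate={decay_rate(mu):.3f}")
    print("mu reaches 1 at alpha =",
          round(max_alpha_for_mu_below_one(gamma, kappa, lam, r), 2))
```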

C.  Experimental  Evaluation 

In  addition  to  theoretical  analysis,  we  use  experiments  based 
on  mobility  traces  to  investigate  mobile  botnet  propagation  in 
realistic  environments.  In  our  experiments,  we  generate  mobile 
nodes on a fixed-size map. Each node moves around according
to  realistic  mobility  traces.  We  randomly  choose  one  node  as 
the  initially  infected  node  that  attempts  to  propagate  malware 
to  other  vulnerable  nodes. 

In  the  first  experiment,  we  use  the  EPFL  data  set  [21],  which 
contains  mobility  traces  of  taxi  cabs  in  San  Francisco.  We 
generate  300  mobile  nodes  based  on  the  300  cab  traces  during 
a  12-day  time  period.  The  experiment  starts  at  time  0  and  we 
are  interested  in  how  many  nodes  are  infected  as  time  goes. 

Fig. 4 shows the botnet size (i.e., the number of total
infected nodes) versus elapsed time with different initially
infected nodes (cabs “abmuyawm” in solid line and “oafhynu”
in dotted line), different transmission ranges (100m WiFi
and 10m Bluetooth) and a constant vulnerability ratio $\kappa$=0.8
(i.e. 240 out of 300 nodes are vulnerable). It is noted from
Fig. 4 that malware propagation with WiFi is substantially
faster than that with Bluetooth since WiFi has a much larger
transmission range than Bluetooth. Moreover, we observe in
Fig. 4 that the botnet size as a function of elapsed time
exhibits approximately parabolic curves especially for the two
Bluetooth cases, meaning that the botnet size is on the same
order of a quadratic function of time $t$, i.e., $\Theta(t^2)$.

In order to further evaluate the WiFi cases, we perform a
set of experiments. Fig. 5 shows the botnet size versus elapsed
time for distinct vulnerability ratios ($\kappa$=0.1, 0.4, 0.6, and 0.8).
The initially infected node is set to be cab “abmuyawm” in
the traces, and all nodes use WiFi to propagate malware. We
use a quadratic function to curve-fit the experimental data in
Fig. 5 and find that the data shows a good trend of quadratic
increase (even for the $\kappa$=0.1 case with sufficient time, which
is not depicted in Fig. 5 due to the X-axis limit). In addition,
Fig. 6 depicts the evolution speed as a function of time with
vulnerability ratio $\kappa$=0.4, 0.6, and 0.8. It is observed from
Fig. 6 that the evolution speed shows the trend of linear
increase (not strictly linear, but in the order sense) for different
vulnerability ratios.

It  is  worth  mentioning  that  during  our  experiments,  we  find 
that  malware  can  always  infect  all  vulnerable  nodes  eventually. 
The reason is that the mobility traces in the EPFL data set
are based on taxi cabs, which move around sufficiently on the
map of San Francisco. In other words, the mobility radius $\alpha$ is
large enough so that mobility has already triggered the $\Theta(t^2)$
propagation in Theorem 1.

In  order  to  show  how  malware  can  propagate  without 
sufficient  mobility,  we  use  the  UDelModels  [22]  to  generate 
mobility traces. UDelModels is a tool that can generate realistic
human mobility for downtown metropolitan areas with
configurable  parameters.  The  map  used  in  our  experiments  is 
a  2km x  2km  map  in  downtown  Chicago  as  shown  in  Fig.  7. 
Detailed  setups  are  shown  in  Table  I. 

TABLE I
UDelModels-based Experiment Setup.

Number of walking nodes     2000
Moving speed                [1,4]
Pause time distribution     Exponential
Wireless transmission       Bluetooth (10m)
Vulnerability ratio         60%
Running time                24 hours
Mobility radius$^1$         10m, 100m, 500m, 1km

$^1$ Each node's mobility trace is generated based on a partial map
with a given mobility radius in UDelModels.

Fig. 8 illustrates the botnet size as a function of the elapsed
time with vulnerability ratio $\kappa$=60% and mobility radius
$\alpha$=10m, 100m, 500m, and 1km. We note from Fig. 8 that when
the mobility radius $\alpha$ is 100m, 500m, or 1km, the botnet size
also exhibits quadratic growth over time, similar to Fig. 5.
However, when $\alpha$=10m, the botnet size does not increase as
time increases, indicating the malware propagation will stop
eventually due to insufficient mobility.

Fig. 7. 2km x 2km map in downtown Chicago used in experiments (Courtesy of [22]).

Fig. 8. Size of the botnet over time with mobility radius $\alpha$=10, 100m, 500m, and 1km.

Fig. 9. The tail distribution of the eventual botnet size exhibits an exponential decay when mobility radius $\alpha$ = 10m.

Fig.  9  shows  the  tail  distribution  of  the  eventual  botnet 
size when $\alpha$=10m on linear-log scales. We can observe from
Fig.  9  that  the  tail  distribution  of  the  botnet  size  exhibits 
approximately  a  straight  line.  As  any  exponential  function 
exhibits  a  straight  line  on  linear-log  scales,  Fig.  9  demonstrates 
that  without  sufficient  mobility,  the  botnet  propagation  can 
eventually  stop  with  final  size  exponentially  distributed,  which 
validates  the  theoretical  prediction  in  Theorem  2.  Due  to  the 
exponential  decay  of  the  size  of  such  a  botnet,  we  can  expect 
that  it  is  not  likely  to  infect  a  very  large  number  of  vulnerable 
nodes  and  make  significant  impacts. 

IV.  What  Is  the  Impact  of  A  Mobile  Botnet? 

By  compromising  mobile  nodes,  a  mobile  botnet  can  lead 
to  either  individual  impacts  (e.g.,  blocking  the  use  of  mobile 
devices  [1]),  or  global  impacts  (e.g.,  denial-of-service  attacks 
[2]).  From  the  perspective  of  reliable  network  operations, 
the  denial-of-service  impact  is  much  more  severe  than  the 
individual  impacts.  Therefore,  in  the  following,  we  focus  on 
the  denial-of-service  impact  of  a  mobile  botnet.  Our  objective 
is  to  investigate  what  is  the  impact  of  a  botnet,  in  which 
all  compromised  nodes  flood  service  requests  to  a  service 
provider  to  launch  denial-of-service  attacks.  We  first  model 
how  service  requests  from  mobile  nodes  are  processed,  then 
propose  the  metric  of  last  chipper  time  to  measure  the  impact. 

A.  Modeling  Mobile  Service  Processing 

When  mobile  nodes  move  around  in  the  network,  they 
connect  to  a  service  provider  via  infrastructure  nodes  for 
service  requesting  and  processing,  as  shown  in  Fig.  1.  When 
a  service  request  is  delivered  to  a  service  provider,  it  will 
be  immediately  processed  by  the  service  processing  center. 
Nowadays,  many  service  processing  centers  feature  a  cloud 
computing  paradigm  [23],  [24]:  the  data  processing  will  be 
partitioned  into  different  tasks,  which  are  assigned  to  distinct 
computing  units;  then  outputs  of  all  tasks  are  combined.  In 
this  paper,  we  also  consider  such  a  cloud  processing  model  as 
our  mobile  service  application.  In  what  follows,  we  will  use 
the  cloud  and  the  service  processing  center  interchangeably  to 
denote  the  entity  that  processes  service  requests  from  mobile 
nodes. 


Fig.  10.  The  processing  delay  versus  constant  cloud  load  L  in  Hadoop  and 
Storm  with  different  numbers  of  computers  M  used  in  the  cloud. 


At  first  glance,  it  appears  that  performance  modeling  for 
cloud  processing  is  similar  to  a  conventional  waiting  queue, 
in  which  one  or  few  users  can  be  served  and  the  others  are 
waiting  in  the  queue.  Nonetheless,  cloud  processing  can  be 
quite  different  in  that  the  cloud  supports  concurrent  processing 
(similar  to  the  CPU  sharing  model)  [23],  [25]:  when  a  service 
request arrives, the cloud directly allocates the shared
computational resources (e.g., CPU time) for it instead of making
the user wait. Such a concurrent processing mechanism is
widely  used  in  current  cloud  processing  frameworks  [26],  [27]. 
Therefore,  a  large  amount  of  concurrent  service  requests  can 
be  processed  in  the  cloud  at  the  same  time.  The  more  the 
concurrent  users  (the  heavier  the  cloud  load),  the  longer  the 
processing  delay.  To  find  out  the  relation  between  the  cloud 
processing  delay  and  the  number  of  concurrent  users,  we  adopt 
an  experimental  approach  in  a  small-scale  cloud  based  on  the 
two  popular  Hadoop  [26]  and  Storm  [27]  platforms. 

We set up a small-scale cloud consisting of up to 8 computers
with Intel Core i5 2.67 GHz. The cloud is installed with
Hadoop 1.0.2 and Storm 0.7.4. Fig. 10 shows the processing
delay $D_p$ as a function of constant cloud load $L$ (which is the
number of concurrent service requests being processed in the
cloud at the same time) for different numbers of computers
$M$. We can observe that for both Hadoop-based and Storm-based
systems, there is approximately a linear relation between
$D_p$ and $L$, i.e., $D_p \approx kL$, where the slope $k$ is a decreasing
function of $M$, showing that the more the computing resources
in the cloud, the less the processing delay. Accordingly, we
assume in this paper that $D_p = kL$ for any constant load $L$,
and define $C = 1/k$ as the cloud capability, which can be
considered as an indicator to represent the maximum number
of service requests that can be finished in the cloud per second.

With  parameter  C,  we  can  obtain  Dp  =  L/C  for  any 
constant  load  L.  In  practice,  however,  the  cloud  load  L  is  a 
stochastic  process  due  to  network  traffic  dynamics,  making  the 
processing  delay  Dp  a  random  variable.  It  has  been  shown  that 
the cloud processing delay exhibits a heavy tail property [24].
Combining  the  constant  load  observation  in  Fig.  10  and  the 
heavy  tail  property,  we  define  the  following  stochastic  cloud 
processing  model. 

Definition 3 (Service Processing): Let $C$ be the cloud capability
and $L(t)$ be the average cloud load at time $t$. The
cloud processing delay $D_p$ has a heavy tail, i.e.,
$P(D_p > d) = \theta(d)\, d^{-\beta(t)}$ with mean $L(t)/C$, where $\beta(t)$ is some positive
power-law parameter at time $t$, and $\theta(d)$ is a slowly-varying
function satisfying $\lim_{d \to \infty} \theta(cd)/\theta(d) = 1$ for constant $c$.

B.  Impact  of  A  Botnet  on  Mobile  Services 

After we formulate the service processing model in Definition 3,
we can investigate the impact of a mobile botnet
on mobile services. We consider the scenario where all
compromised nodes in a botnet flood service requests to the
cloud. In particular, the botnet, by continually infecting more
nodes and flooding more requests, can gradually increase
the  cloud  load  and  reduce  service  availability  for  legitimate 
services.  This  means  that  for  any  real-time  mobile  service, 
the  probability  that  a  legitimate  service  request  is  processed 
on  time  is  gradually  decreased.  We  are  interested  in  how  fast 
such  a  botnet  attack  process  can  take  down  the  service.  As  a 
result,  we  define  the  metric  of  last  chipper  time  as  follows. 

Definition 4 (Last Chipper Time): If a mobile botnet starts
propagation at time 0, the last chipper time $T_l$ is the last time
that a required ratio $\sigma$ ($\sigma < 1$) of mobile service requests can
still be processed on time under the botnet attack, i.e.,

$$T_l = \sup\{t > 0 : P(D_p < d) > \sigma\}. \tag{10}$$

With the metric of last chipper time in (10), we state our
main result on the impact of a mobile botnet.

Theorem 3: If a mobile botnet can keep evolving in the
network, the last chipper time $T_l$ of a mobile service with
requirement $\sigma$ satisfies

$$T_l = O\left(1/\sqrt{B \log(1/(1-\sigma))}\right), \tag{11}$$

where $B$ is the network bandwidth.

Proof: According to Definitions 3 and 4, we have

$$T_l = \sup\{t > 0 : \theta(d)\, d^{-\beta(t)} > 1 - \sigma\} < \sup\{t > 0 : \sup\{\theta(d)\}\, d^{-\beta(t)} > 1 - \sigma\}, \tag{12}$$

where $\sup\{\theta(d)\} = \Theta(1)$ (property of slowly-varying functions)
and $\beta(t)$ is the power-law parameter at time $t$. From
the power-law property, the average processing delay can be
represented as $\Theta(1)(\beta(t) - 1)/(\beta(t) - 2)$. From Definition 3,
the average load can be written as

$$L = C\,\Theta(1)(\beta(t) - 1)/(\beta(t) - 2). \tag{13}$$

On the other hand, the average load $L$ is the sum of the
average load of legitimate requests $L_l$ and the average load
induced by attacks $L_a$, i.e.,

$$L = L_l + L_a. \tag{14}$$

To calculate $L_a$, we first obtain from Theorem 1 that the
average botnet size $E|S(t)|$ is at most $O(t^2)$.

In addition, compromised nodes can flood service requests
to the service processing center. How many service requests
they can exactly send to the center depends on the network
access schemes and network bandwidth $B$. No matter what
access scheme the network has, the maximum bandwidth
available for a node is always no greater than network bandwidth
$B$, which indicates the rate of flooded requests at each
compromised node is always upper bounded by $O(B)$.

Therefore, the average load induced by attacks $L_a$ at the
service processing center is at most

La  =  CTE(|S(t)|0(B))  =  Ct20{B).  (15) 

Then, it follows from (13), (14), and (15) that

$$\beta(t) = 2 + 1/(t^2 O(B)). \tag{16}$$

Inserting (16) into (12) completes the proof. □

Theorem  3  shows  that  if  a  botnet  can  keep  evolving  in  the 
network,  the  last  chipper  time  decreases  at  most  on  the  order  of 
$1/\sqrt{B}$. It has already been predicted in existing work [1] that
the  risk  of  mobile  malware  attack  increases  with  the  improved 
bandwidth  in  future  wireless  networks.  Theorem  3  gives  an 
interesting  assessment  on  how  such  a  risk  is  boosted.  For 
example,  LTE  advanced  is  planned  to  improve  the  LTE  uplink 
speed  10  times  (from  50  Mbps  to  500  Mbps).  It  follows  from 
Theorem  3  that  for  the  same  mobile  service,  its  last  chipper 
time  in  LTE  advanced  will  become  around  one  third  of  the 
time in LTE ($1/\sqrt{10} \approx 1/3$). This means that in order to
make  some  impact  in  LTE  advanced,  a  botnet  only  needs  to 
propagate  one  third  of  the  time  that  it  spends  in  LTE. 

Remark 4: It is worth noting that the decrease on the
order of $1/\sqrt{B}$ of the last chipper time relies on the condition
that all infected nodes attempt to saturate the network channel
to launch attacks. If they attack at a constant rate that does not
depend on $B$, the last chipper time should not be affected by
$B$. Therefore, practical networks must always deploy attack
detection and rate-limiting schemes to prevent infected nodes
from flooding service requests at the saturated rate. However,
we do believe that the decrease on the order of $1/\sqrt{B}$
represents the worst-case scenario that should be considered
for any risk assessment of mobile botnets.
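The model of Definitions 3 and 4, the bandwidth scaling of Theorem 3 and the rate-limiting point of Remark 4 can be evaluated numerically. The Python code below is an added example, not code from the paper: it assumes a pure unit-scale Pareto delay (theta(d) = 1), a botnet of exactly g*t^2 nodes, a per-node load proportional to B, and constructed parameter values.

```python
import math

# Constructed parameters (assumptions, not values from the paper).
PARAMS = {
    "capability": 100.0,   # C: requests the cloud can finish per second
    "legit_load": 50.0,    # L_l: average load from legitimate requests
    "growth": 0.01,        # g in E|S(t)| = g * t^2 (quadratic growth)
    "req_per_bw": 2.0,     # load one infected node adds per unit of bandwidth B
    "deadline": 4.0,       # d: delay requirement, in units of the minimum delay
    "rate_cap": None,      # per-node load ceiling enforced by rate limiting
}

def tail_index(load, capability):
    """beta(t) for a unit-scale Pareto delay whose mean equals load/capability."""
    mean_delay = load / capability
    if mean_delay <= 1.0:
        return math.inf                        # load too light to produce a tail
    return mean_delay / (mean_delay - 1.0)     # Pareto mean is beta / (beta - 1)

def on_time_probability(t, bandwidth, p=PARAMS):
    """P(D_p <= d) at time t, taking theta(d) = 1 in Definition 3."""
    per_node = p["req_per_bw"] * bandwidth     # flooding rate bounded by B
    if p["rate_cap"] is not None:
        per_node = min(per_node, p["rate_cap"])  # Remark 4: rate limiting
    load = p["legit_load"] + p["growth"] * t * t * per_node  # L = L_l + L_a
    beta = tail_index(load, p["capability"])
    return 1.0 if math.isinf(beta) else 1.0 - p["deadline"] ** (-beta)

def last_chipper_time(bandwidth, sigma, p=PARAMS, horizon=1e6, tol=1e-6):
    """sup{t > 0 : P(D_p <= d) >= sigma}. Bisection is valid because the
    on-time probability never increases as the botnet grows."""
    if on_time_probability(0.0, bandwidth, p) < sigma:
        return 0.0
    if on_time_probability(horizon, bandwidth, p) >= sigma:
        return math.inf
    lo, hi = 0.0, horizon
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if on_time_probability(mid, bandwidth, p) >= sigma:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    limited = dict(PARAMS, rate_cap=30.0)
    for b in (1, 10, 40, 54):
        print(b, round(last_chipper_time(b, 0.9), 2),
              round(last_chipper_time(b, 0.9, limited), 2))
```

With these constructed values the uncapped last chipper time halves when B goes from 10 to 40, while the capped one stops shrinking once the cap binds.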

C.  Experimental  Evaluation 

We  also  use  experiments  to  measure  the  last  chipper  time. 
We  first  present  the  setups,  then  discuss  the  results. 


1) System Setups: We set up a small-scale cloud that consists
of 8 computers running over the Storm framework [27].
As  shown  in  Fig.  11,  the  cloud  is  connected  to  a  simulation 
server  that  simulates  a  wireless  network  environment. 


Fig.  11.  A  small-scale  cloud  is  connected  to  a  network  simulation  server. 


Network  Setup:  We  place  25  access  points  with  equal  space 
on  the  2km x  2km  map  shown  in  Fig.  7  to  provide  full  wireless 
coverage  with  802.11  DCF.  The  transmission  range  of  access 
points  and  mobile  nodes  is  300  m.  The  network  bandwidth 
varies  from  1  to  54  Mbps.  Mobile  nodes  move  around  based 
on  UDelModels  traces  in  Section  III-C.  They  send  service 
requests  to  their  nearest  access  points.  These  service  requests 
are delivered from the simulation server to the cloud for real-time
processing. Then, the processed results in the cloud are
sent  back  to  mobile  nodes  in  the  simulation  environment. 

Service  Setup:  Mobile  nodes  use  a  location-aware  service 
[28],  [29]:  they  send  their  location/mobile  sensing  data  via 
access  points  to  the  cloud,  and  obtain  processed  results  from 
the  cloud  every  5  s.  The  size  of  service  requests  is  800  bytes, 
the  size  of  processed  results  is  1200  bytes,  and  the  processing 
delay  requirement  for  each  request  is  2  s  at  the  cloud. 

Botnet Setup: The vulnerability ratio $\kappa$ = 60%. We randomly
choose one node in the network as the initially infected node
that propagates malware to others at time 0. To launch
denial-of-service attacks, all infected nodes attempt to saturate the
network channel by continuously sending service requests to the cloud.

2) Experimental Results and Discussions: Fig. 12 shows
the last chipper time as a function of network bandwidth $B$
for service requirement $\sigma$ = 70%, 80%, 90%, and 95%. The
mobility radius of each node is 100m. We can observe from
Fig. 12 that the last chipper time does decrease as $B$ increases.
For example, for requirement $\sigma$ = 95%, when $B$ goes from
10MHz to 40MHz (4 times), the last chipper time decreases
from 14.6 hours to 7.5 hours (almost halved). This is
well predicted by Theorem 3: the last chipper time $T_l$ can be
written as $O(1/\sqrt{B})$, and if $B$ increases 4 times, $T_l$ will be
reduced to one half of the original value.

Fig. 13 illustrates the last chipper time as a function of
network bandwidth $B$ for mobility radius $\alpha$ = 10m, 500m, and
1km. The service requirement is set to be $\sigma$ = 90%. First, we
see from Fig. 13 that regardless of different mobility radii, the
last chipper time always decreases as network bandwidth $B$
increases. Second, Fig. 13 shows that more node movement
does help the propagation of malware infection, and the last
chipper time decreases accordingly with $\alpha$ becoming larger.

We conclude from Figs. 12 and 13 that the last chipper
time is $O(1/\sqrt{B})$, as predicted in Theorem 3, and the larger
the mobility radius, the smaller the last chipper time.


Fig. 12. Last chipper time with different service requirements.

Fig. 13. Last chipper time with different mobility radii.


V.  Conclusions 

In  this  paper,  we  investigated  how  mobile  botnets  evolve  via 
proximity  infection  and  their  impacts.  We  found  that  the  size 
of  a  mobile  botnet  can  either  increase  quadratically  over  time 
or  be  exponentially  distributed  with  finite  mean.  In  addition, 
we  also  defined  the  metric  of  last  chipper  time  to  measure 
the  last  time  that  a  mobile  service  is  still  feasible  under 
botnet  attacks.  Our  findings  in  this  paper  not  only  provide 
a  theoretical  foundation  to  explain  discrepant  experimental 
results  of  mobile  malware  propagation  in  the  literature,  but 
also  offer  quantitative  risk  assessment  on  potential  denial-of- 
service  impacts  of  botnet  attacks  in  mobile  networks. 
Appendix

Lemma 1: For a mobile botnet evolving in the network, its
average size $E|S(t)| = \Omega(t^2)$ for $\kappa\lambda(2\alpha + r)^2$ larger than
some constant, i.e., $\kappa\lambda(2\alpha + r)^2 = \Omega(1)$.

Proof: First we discretize the entire network into hexagonal
cells with radius $2\alpha + r$. In what follows, we introduce
necessary definitions to facilitate our proof. We call a cell
infected if there is at least one infected node (e.g., say node A)
in the cell, and call an infected cell open if there is at least
one node in a nearby cell that is vulnerable to infection and
whose home point is within the reachable distance (i.e., $2\alpha + r$)
to the home point of the vulnerable node (i.e., node A). If a
cell is not open, it is called closed. For two open cells, we
say they are directly connected if they are neighbors to each
other, and indirectly connected if there exists a path between
them, on which all cells are open. Fig. 14 illustrates how we
discretize the entire network into open and closed cells.

Without loss of generality, assume that the initially infected
node is in cell 0 in Fig. 14. A necessary condition for
$E|S(t)| = \Omega(t^2)$ is that there must be infinitely many open
cells (directly or indirectly) connected to cell 0 in order for
malware propagation to go on. For example, malware in cell
0 shown in Fig. 14 is propagated to six neighbor cells (1-6),
called the first-generation cells, in which cells 2-6 are
open and cell 1 is closed. Then, malware in open cells 2-6
can be propagated farther to their neighbor cells 8-18 (the
second-generation), in which cells 7, 8, 15, and 17 are closed.


Fig.  14.  Network  discretization. 


Fig.  15.  Example  of  an  open  cell. 


The  open  cells  in  the  second  generation  can  repeat  the  same 
infection  process  to  the  third  generation,  and  so  on. 

Denote by $p$ the probability that a cell is infected by its
neighbor and is also open (i.e., the newly infected cell can also
propagate the malware to some other cells) and denote by $S_1$
the number of open neighbor cells in the first-generation cells.
We can obtain that $S_1$ is binomially distributed with parameters 6
and $p$, i.e., $S_1 \sim \text{binomial}(6, p)$. Let $S_2$ be the number of
second-generation cells that are open. Then, conditioned on
$S_1$, $S_2$ is also binomially distributed with parameters $S_1$ and
$p$, i.e., $S_2 \sim \text{binomial}(c_1 S_1, p)$ for some constant $c_1$, where
$c_1$ is called cell expansion ratio and $c_1 > 1$. Similarly, we
have $S_{i+1} \sim \text{binomial}(c_i S_i, p)$, for all $i > 1$.

Accordingly, we have $E(S_{i+1} \mid S_i) = c_i S_i p$, and the total
number of connected open cells can be represented as

$$E\sum_{i=1}^{\infty} S_i = \sum_{i=1}^{\infty} 6 p^i \prod_{j=1}^{i-1} c_j > 6 \sum_{i=1}^{\infty} \epsilon^{i-1} p^i,$$

where $\epsilon = \min\{c_i\} > 1$. This shows that there will be infinitely many
connected open cells if $\epsilon p > 1$, where $p$ is the probability that
a cell is open. For a particular cell, as shown in Fig. 15, it is
surely open if there is at least one vulnerable node in each of
areas 1-12. This implies that a cell is open with probability
$p > (1 - e^{-\kappa\lambda(2\alpha + r)^2/4})^{12}$. Therefore, there will be infinitely
many connected open cells if $\epsilon(1 - e^{-\kappa\lambda(2\alpha + r)^2/4})^{12} > 1$,
which means that $\kappa\lambda(2\alpha + r)^2 = \Omega(1)$.

To further show how $|S(t)|$ increases when $\kappa\lambda(2\alpha + r)^2 = \Omega(1)$,
let $G(t)$ be the max number of cell generations that
the infection process has reached at time $t$. Then, the total
number of infected cells can be written as $\sum_{i=1}^{G(t)} S_i(t)$, where
$S_i(t)$ is the number of infected cells at time $t$ for generation $i$.
Accordingly, we have

$$E|S(t)| > E\Big(\sum_{i=1}^{G(t)} S_i(t)\Big). \tag{17}$$

The wait time between two cells depends on when two
nodes in the cells meet each other, and it has already been
shown that in any bounded domain, the inter-meeting time
of two nodes is exponentially distributed [30]. Therefore, the
wait time to propagate the malware from one cell to another
is also exponentially distributed, based on which $G(t)$ can be
shown as a continuous Markov process with intervals decaying
exponentially fast. It follows from the elementary renewal
theorem that $\lim_{t \to \infty} G(t)/t = \Theta(1)$ and therefore $G(t) = \Theta(t)$.
Similarly, we can show that $S_i(t)/t = \Theta(1)$. Then,
it follows from (17) that

$$E|S(t)| > t\,E\Big(\sum_{i=1}^{G(t)} S_i(t)/t\Big) = t\,E\Big(\sum_{i=1}^{G(t)} \Theta(1)\Big) > t\,\Theta(t) = \Theta(t^2),$$

which shows that $E|S(t)| = \Omega(t^2)$. □


